Firewall Wizards mailing list archives

Re: firewalls and the incoming traffic problem


From: "Paul D. Robertson" <proberts () clark net>
Date: Sun, 28 Sep 1997 13:31:57 -0400 (EDT)

On Sun, 28 Sep 1997, Marcus J. Ranum wrote:

>       - Firewalls are good at providing access control
>       on return traffic that is in response to a request
>       that originated behind the firewall
>       - Firewalls are poor at providing access control
>       on "unsolicited" incoming traffic to generic
>       services that are "required" as part of being on
>       the Internet

or even seemingly "solicited" incoming traffic.  Tunnels are a fact of 
life, and they'll just get worse as we move forward.  That's why I'd like 
to see *official* MITM addressed in protocol specifications.  If we're 
to _really_ take a stab at continuing to provide security and assurance 
levels, we *need* to be able to examine data.

The other thing that folks seem to not understand about MITM attacks, 
especially on VPNs and the like, is that if you break the boundary of 
encryption by allowing unencrypted access to either endpoint, you're 
half-way down the path of compromise.  Add that to the boneheaded 
product designers who don't allow keychange intervals without dropping 
the connection and combine it with weak encryption, and VPNs will start 
failing not long out the door. 

> Summary: firewalls originally offered the promise that
> you could "install a firewall and not worry about your
> internal security."  Now, it's clear that firewalls force

That didn't hold true then, and it holds true less now.  You can't never 
worry about internal security.  My current trend is to firewall to 
provide zones of control (administrative, protocol, business, security, 
physical), and get a better overall separation of traffic destined for a 
network, and traffic transited over a network.  Network compartmentalization is a 
good thing, and locking down all the interchanges on a network is a start, and where 
firewalling still holds some perception of value to me.

> If I'm going to have to worry about the host security
> and the server side s/w on my internal systems, why
> shouldn't I just use a router with gross-level filtering
> to channel traffic into a few carefully configured
> backend servers? The "hard part" is doing the backend
> configuration anyhow!!

Because it's helpful to provide lower layer protection to those back-end 
servers, which will need all the whiz-bang stuff that folks want, and 
therefore be current rather than stable.  Also, it's good to be able to 
enforce some application level control over traffic.  Being able to 
intercept mail from certain destinations, active components, URLs, do 
application layer re-direction for diagnostic, re-routing, or policy choices, and a 
bunch of stuff that gets overly complex at the packet layer, and pretty easy at the 
application one.

> What's worrying me is all the folks I've seen who put
> a firewall in, and believe it is going to somehow protect
> the incoming traffic. :( I had a consulting gig where

Or tunneling traffic.  Firewalls aren't fire and forget, and there is a 
vast mis-perception that once you have one, you're safe.  You're _safer_ 
than without, but even beyond the usual 'total security' arguments, 
people need to understand that firewalls and Internet security are 
necessarily technical, time consuming, and difficult.  

If you're not watching all the time, analyzing everything, and constantly up-to-date, 
controlling desktop software versions and configs, blocking most of what 
'everyone wants' but can't justify business-wise, and constantly tightening things 
down, then you're still a *great* target.  If you're doing all of that and more, then 
you're still a target, and you can still miss things, but it gives a much higher level 
of assurance that you'll catch it before it gets really bad.

> I'm not saying that "firewalls are dead" because this
> problem has always been there and firewalls DO serve
> a purpose. The fact is that sites with firewalls get broken
> into less often that sites without. But - are a majority
> of firewall users falsely confident?

Undoubtedly, most firewall Admins are falsely confident, or too ignorant 
of the issues to maintain a reasonable level of paranoia.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
